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CLAIMS: 



What is claimed is: 

1 . A system for protecting a file system of a computer, comprising: 

an interface operable to receive a selection of an item of the file system to be 
5 included in a safety zone; 

a memory in communication with the interface and operable to store information 
relating to the item; and 

a processor in communication with the memory and operable to intercept a system 
call which potentially could affect the item in the safety zone, and to process the system 
10 call to avoid permanent modification of the item. 

2. The system of Claim 1 , wherein the processor is operable to examine a 
composition, information structure, and normal status of the file system. 

15 3 . The system of Claim 1 , wherein the processor is operable to cause the 

computer to only boot from a hard disk drive of the computer. 

4. The system of Claim 1, wherein the safety zone comprises at least one of a 
file system, a drive, a directory, a file, or a registry for the computer. 

20 

5. The system of Claim 1 , wherein the interface is operable to present 
information about the safety zone. 

6. The system of Claim 1, wherein the processor is operable to present a user 
25 of the computer with an impression that the system call was executed even when the 

system call actually has not been executed. 

7. The system of Claim 1 , wherein the processor is operable to make the item 
transparent to a user of the computer. 

30 
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8. A method of protecting and recovering a file system in a computer, 
comprising the steps of: 

storing file system information obtained from examining an operating system and 
a file system structure in the computer; 

setting a safety zone based on selection of a target that is to be protected or 
recovered, wherein selection is made in response to input by an authenticated 
administrator; 

receiving a system call referencing a file pathname corresponding to the target; 
analyzing the system call to determine if the system call affects the target; and 
if said system call may affect the target, performing processing to avoid 
permanent modification of the target. 

9. The method of Claim 8, wherein performing processing comprises 
creating a copy of the target. 

1 0. The method of Claim 8, wherein performing processing comprises making 
the target transparent to a user of the computer. 

1 1 . The method of Claim 8, wherein performing processing comprises making 
the system call void. 

12. The method of Claim 8, comprising verifying a booting media for the 
computer to prevent use of abnormal booting media. 

13. The method of Claim 12, wherein the abnormal booting media comprises a 
floppy disk or a CD-ROM drive. 

14. The method of Claim 8, further comprising examining a composition, 
information structure, and normal status of the file system. 

15. The method of Claim 8, wherein the stored file system information 
comprises original file system information, and further comprising: 
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comparing the original file system information with current file system 
information; and 

replacing the original file system information with the current file system 
information if the original file system information and the current file system information 
5 are not identical. 

16. The method of Claim 8, wherein the target comprises at least one of a file 
system, a drive, a directory, a file, or a registry of the computer. 

1 7. The method of Claim 8, wherein the system call is for creating a target and 
wherein performing processing comprises: 

creating the target; and 

updating current file system information to show that the target has been created. 

1 8. The method of Claim 8, wherein the system call is for deleting a target and 
wherein performing processing comprises: 

when the target has not already been deleted, 
copying the target for recovery; and 

updating current file system information to show that the target has been 
deleted. 

19. The method of Claim 1 8, further comprising: 
when the target has already been deleted, voiding the system call. 

25 20. The method of Claim 8, wherein the system call is for renaming a target 

and wherein performing processing comprises: 

when the target has not already been renamed, 
copying the target for recovery; and 

updating current file system information to show that the target has been 
30 renamed. 

21 . The method of Claim 20, wherein the system call is for renaming a target 
and wherein performing processing comprises: 
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when the target has already been renamed, voiding the system call. 

22. The method of Claim 8, wherein the system call comprises searching for a 
target and further comprising: 

5 searching for the target using the current file system information. 

23 . The method of Claim 22, further comprises: 

searching for the target if the target is marked with renew, rename, or delete. 

10 24. The method of Claim 8, further comprising: 

recovering the target. 

25. The method of Claim 24, wherein the target is recovered by comparing the 
stored file system information to current file system information. 

26. The method of Claim 24, wherein the target is recovered by renaming a 
stored copy of the target. 

27. The method of Claim 8, wherein performing processing comprises 
preventing access to the target. 

28. The method of Claim 8, wherein the system call is for an interrupt and 
wherein processing further comprises: 

voiding the system call if processing the interrupt would affect partition 
information of the file system. 

29. A method of protecting and recovering a file system of a computer 
comprising: 

receiving a selection of an item to be included in a safety zone; 
30 intercepting a system call which potentially could affect the item in the safety 

zone; and 

performing processing responsive to the system call so that the item is not 
permanently modified. 
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30. The method of Claim 29, further comprising updating file system 
information on a data storage device coupled to the computer with file system 
information from a disk drive coupled to the computer. 

5 

3 1 . The method of Claim 29, wherein performing processing comprises 
voiding the system call. 

32. The method of Claim 3 1 , wherein performing processing comprises 

10 providing a user of the computer with an impression that the system call was executed. 

33. The method of Claim 29, wherein performing processing comprises: 
determining that the system call is a find file request; and 
if execution of the find file request would access an item in a safety zone, 

performing the find file request without accessing the file system. 

34. The method of Claim 29, wherein performing processing comprises 
making a copy of the item. 

3 5 . The method of Claim 29, wherein performing processing comprises 
making the item transparent to a user of the computer. 

36. The method of Claim 29, wherein performing processing comprises 
making the system call void. 

37. The method of Claim 29, comprising verifying a booting media for the 
computer to prevent use of abnormal booting media. 

38. The method of Claim 29, further comprising storing original file system 
30 information. 

39. The method of Claim 38, further comprising: 
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comparing the stored original file system information with current file system 
information; and 

replacing the original file system information with the current file system 
information if the original file system information and the current file system information 
5 are not identical. 

40. The method of Claim 29, wherein the item comprises at least one of a file 
system, a drive, a directory, a file, or a registry of the computer. 

41 . The method of Claim 29, wherein the system call is for creating an item 
and wherein performing processing comprises: 

creating the item; and 

updating current file system information to show that the item has been created. 

42. The method of Claim 29, wherein the system call is for deleting an item 
and wherein performing processing comprises: 

when the item has not already been deleted, 
copying the item for recovery; and 

updating current file system information to show that the item has been 
deleted. 

43. The method of Claim 42, farther comprising: 
when the item has already been deleted, voiding the system call. 

25 44. The method of Claim 29, wherein the system call is for renaming an item 

and wherein performing processing comprises: 

when the item has not already been renamed, 
copying the item for recovery; and 

updating current file system information to show that the item has been 
30 renamed. 

45. The method of Claim 44, wherein the system call is for renaming an item 
and wherein performing processing comprises: 
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when the item has already been renamed, voiding the system call. 

46. The method of Claim 29, wherein the system call comprises searching for 
an item and further comprising: 

5 searching for the item using the current file system information, 

47. The method of Claim 46, further comprises: 

searching for the item if the item is marked with renew, rename, or delete. 

10 48 . The method of Claim 29, wherein performing processing comprises 

recovering items in the safety zone. 

2 49. The method of Claim 48, wherein recovering occurs periodically. 

f y 1 5 50. The method of Claim 48, wherein recovering occurs upon reboot. 

JX 51. The method of Claim 48, wherein the item is recovered by comparing the 

stored file system information to current file system information. 

? i 
f=| 

§i 20 52. The method of Claim 48, wherein the item is recovered by renaming a 

23? stored copy of the item. 

53. The method of Claim 29, wherein performing processing comprises 
preventing access to the item. 

25 54. The method of Claim 29, wherein the system call is for an interrupt and 

wherein processing further comprises: 

voiding the system call if processing the interrupt would affect partition 
information of the file system. 

30 55. A method of protecting and recovering a file system of a computer 

comprising: 
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receiving a selection of an item to be included in a safety zone from an 
administrator; 

intercepting a system call received from a user which potentially could affect the 
item in the safety zone; and 
5 performing processing responsive to the system call so that the item is not 

permanently modified. 

56. The method of Claim 55, further comprising: 
authenticating the administrator. 

57. The method of Claim 56, further comprising: 
receiving authorization information from the administrator; and 
comparing the received authorization information to stored authorization 

information to determine whether to authenticate the administrator. 

58. The method of Claim 55, wherein the item is a first item, further 
comprising: 

receiving a selection of a second item to be included in an open zone from an 
administrator. 

59. The method of Claim 58, wherein the second item may be permanently 
modified. 

60. The method of Claim 58, wherein the item is a first item, further 
25 comprising: 

receiving a selection of a second item to be protected from an administrator. 

6 1 . The method of Claim 60, further comprising: 
restricting user access to the second item. 

30 

62. The method of Claim 55, wherein the item is stored as an original item, 
and wherein performing processing comprises: 

creating a copy of the original item; 
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storing the copy for recovery; and 
allowing a user to access the original item. 



63. The method of Claim 55, wherein performing processing comprises 
5 making the item transparent to a user of the computer. 

64. The method of Claim 55, wherein performing processing comprises 
making the system call void. 

10 65. A computer-readable storage medium storing a computer program 

executable by one or more computers, the computer program comprising computer 
instructions for: 

receiving a selection of an item to be included in a safety zone; 
intercepting a system call which potentially could affect the item in the safety 
15 zone; and 

performing processing responsive to the system call so that the item is not 
permanently modified. 

66. The computer-readable storage medium method of Claim 65, wherein 
20 performing processing further comprises instructions for voiding the system call. 

67. The computer-readable storage medium method of Claim 66, wherein 
performing processing further comprises providing instructions for providing a user of 
the computer with an impression that the system call was executed. 

25 

68. The computer-readable storage medium method of Claim 65, wherein 
performing processing further comprises instructions for: 

determining that the system call is a find file request; and 
if execution of the find file request would access an item in a safety zone, 
30 performing the find file request without accessing the file system. 
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69. The computer-readable storage medium method of Claim 65, further 
comprising instructions for verifying a booting media for the computer to prevent use of 
abnormal booting media. 

5 70. The computer-readable storage medium method of Claim 65, further 

comprising instructions for: 

storing original file system information; 

at a later time, comparing the stored original file system information with current 
file system information; and 
10 replacing the original file system information with the current file system 

information if the original file system information and the current file system information 
are not identical. 

7 1 . The computer-readable storage medium method of Claim 65, wherein the 
system call is for creating an item and wherein performing processing further comprises 
instructions for: 

creating the item; and 

updating current file system information to show that the item has been created. 

72. The computer-readable storage medium method of Claim 65, wherein the 
system call is for deleting an item and wherein performing processing further comprises 
instructions for: 

when the item has not already been deleted, 
copying the item for recovery; and 

updating current file system information to show that the item has been 
deleted. 

73. The computer-readable storage medium method of Claim 65, wherein the 
system call is for renaming an item and wherein performing processing further comprises 

30 instructions for: 

when the item has not already been renamed, 
copying the item for recovery; and 
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updating current file system information to show that the item has been 
renamed. 



74. The computer-readable storage medium method of Claim 65 , further 
5 comprising instructions for recovering items in the safety zone. 

75. The computer-readable storage medium method of Claim 74, wherein the 
item is recovered by renaming a stored copy of the item. 

76. The computer-readable storage medium method of Claim 65, wherein 
10 performing processing further comprises instructions for preventing access to the item. 

77. The computer-readable storage medium method of Claim 65, wherein the 
system call is for an interrupt and wherein processing further comprises instructions for: 

voiding the system call if processing the interrupt would affect partition 
1 5 information of the file system. 
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